What is sending spam on my server !

  1. #1
    Join Date
    Jul 2016
    Location
    Hertfordshire, UK
    Posts
    956
    Thanks
    40
    Thanked 186 Times in 155 Posts
    Thumbs Up/Down
    Received: 470/3
    Given: 138/4

    What is sending spam on my server!

    I was just creating some new content for the LJSHost knowledge base and thought this article would be a nice tutorial for all you WHM VPS owners with spam problems.

    Finding out what script is spamming on a WHM server


    Spam, or unsolicited email, is a huge problem for anyone with a server; it is estimated that around 90% of all email worldwide is junk mail. Spammers can have a negative impact on your server in many ways, including consuming all server resources (resulting in poor performance) and getting your IP address blacklisted, preventing you from sending mail to some providers from your server.

    Spammers send junk mail in a couple of different ways: sometimes from an external mail client, but more often from a script uploaded to your server. Compromised CMS platforms such as WordPress are often the cause of spam, having been hijacked by a hacker who uses your contact form to send thousands of messages.

    So now you know the problem, let's talk about what you can do about it and shut it down.

    All mail servers have an MTA (Mail Transport Agent) that receives mail from mail clients, web applications and other servers which have mail for users on your server. WHM uses the Exim transport agent, which this guide will be focusing on, but these forensic techniques can be adjusted for other mail transport agents.

    Locating the script that is spamming


    Code:
     grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n
    This command will scan the exim_mainlog file, which is where Exim logs all mail activity. It might look complex, but it's just a few simple Linux commands piped together.

    How the command works

    Code:
    grep cwd /var/log/exim_mainlog
    - Show all rows with 'cwd' (current working directory) in the log

    Code:
    grep -v /var/spool
    - Use grep with -v to show an inverted match, so as to exclude /var/spool, which are normal Exim deliveries not from a script.

    Code:
     awk -F"cwd=" '{print $2}' | awk '{print $1}'
    - Format the output so we only see the data we need.

    Code:
    sort | uniq -c | sort -n
    - Sort the script paths by name, count them and format the output numerically from lowest to highest.


    Code:
          12 /home/account1/public_html/folder1
          43 /home/account2
          1652 /home/account3/public_html/scripts
          32 /home/account12/data/
          16 /home/account5/public_html
          19 /home/account 9/public_html
           7 /home/account21/public_html/content/scripts
          14 /home/account43/public_html/wp-content/themes/twentythirteen
          58 /home/account 45/public_html/tmp/
          20 /home/account31/public_html/wp-includes/js/imgareaselect
         346 /etc/csf
         794 /usr/local/cpanel/whostmgr/docroot
         1209 /
         187175 /root
    This is a typical output from the command. All user data is contained within the /home/ directory, so those are the results you want to focus on; /etc/csf and /root, for example, are system-generated emails, which are only internal sending of firewall reports, cron job notifications etc.

    As you can see from the output, 1652 /home/account3/public_html/scripts is the most likely suspect: it shows 1652 mails sent from a script in the scripts folder.

    Let's take a look in the scripts directory to see what we find.

    Code:
    ls -lahtr  /home/account3/public_html/scripts

    Code:
     -rw-r--r-- 1 account3 account3 5.6K Apr 14 23:27 spam_script.php
    Here we find the script spam_script.php, which is the PHP program sending the spam. In a real-world situation the file will be called something innocent such as wp-plug-contact.php to make it look like a genuine file.

    A quick view of this file will show mail() functions etc. used to send the spam.

    All you need to do to stop the spam is delete the file.
    Web Hosting | Reseller | VPS
    30 Day Money Back Guarantee | cPanel | 365 Day UK Support | Free Trial
    https://www.ljshost.com
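    As an added example (not part of the original post), here is the same pipeline wrapped in shell functions and run against a small constructed log, so you can see what each stage strips and how the /home rows are picked out. The log lines, paths, message ids and timestamps are made up for the example; on a WHM box the real input is /var/log/exim_mainlog, and the cwd= field only appears when Exim is logging the arguments of local sendmail/exim calls (the cPanel default).

```shell
#!/bin/sh
# Added example, not code from the thread: the "which directory is sending mail"
# pipeline from the post, wrapped in functions so it can be pointed at any file.

# Constructed sample log in the style of Exim's mainlog "cwd=... args:" lines.
# Everything here (dates, accounts, message ids) is made up for the example.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2017-04-14 23:27:01 cwd=/home/account3/public_html/scripts 3 args: /usr/sbin/sendmail -t -i
2017-04-14 23:27:01 cwd=/home/account3/public_html/scripts 3 args: /usr/sbin/sendmail -t -i
2017-04-14 23:27:02 cwd=/var/spool/exim 4 args: /usr/sbin/exim -Mc 1d99xy-0001Ab-Cd
2017-04-14 23:27:03 cwd=/home/account3/public_html/scripts 3 args: /usr/sbin/sendmail -t -i
2017-04-14 23:27:05 cwd=/home/account1/public_html 3 args: /usr/sbin/sendmail -t -i
2017-04-14 23:28:00 cwd=/root 2 args: /usr/sbin/sendmail root
2017-04-14 23:28:01 cwd=/var/spool/exim 4 args: /usr/sbin/exim -Mc 1d99xz-0001Ac-De
EOF

# top_cwd_dirs LOGFILE
#   Prints "<count> <directory>" for every working directory that invoked the
#   mailer, ascending by count. Exim's own delivery processes run from
#   /var/spool, so they are filtered out exactly as in the post.
top_cwd_dirs() {
    grep cwd "$1" | grep -v /var/spool \
      | awk -F'cwd=' '{print $2}' | awk '{print $1}' \
      | sort | uniq -c | sort -n
}

# home_only LOGFILE
#   Same counts, restricted to customer directories under /home (the rows the
#   post says to focus on; /root, /etc/csf etc. are system notifications).
home_only() {
    top_cwd_dirs "$1" | awk '$2 ~ /^\/home\//'
}

# busiest_dir LOGFILE
#   The single directory with the most mailer invocations: the first place to
#   look with ls -lahtr, as the post does.
busiest_dir() {
    top_cwd_dirs "$1" | tail -n 1 | awk '{print $2}'
}

echo "all directories:"
top_cwd_dirs "$SAMPLE_LOG"
echo "customer directories only:"
home_only "$SAMPLE_LOG"
echo "busiest: $(busiest_dir "$SAMPLE_LOG")"
```

    Run it as-is to see the three stages on the sample; replace SAMPLE_LOG with /var/log/exim_mainlog (as root) for a real server. Note that a directory name containing a space is cut at the space by the final awk, which is why one of the paths in the post's output looks odd.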


  3. #2
    Join Date
    Feb 2017
    Posts
    72
    Thanks
    0
    Thanked 3 Times in 3 Posts
    Thumbs Up/Down
    Received: 15/0
    Given: 0/0
    That is awesome. A lot of the time files rebuild from types of malware and viruses;
    does this stop them from rebuilding?
    Have used other programs that have helped us and our clients.
    This one will be very useful as well, awesome job.
    DTS-NET Unlimited & Unmetered
    Cpanel/WHM | Not Oversold | Low Server Loads | Reseller / Managed Plans Available
    VPS | OpenVZ | XEN | KVM| No Limit Web Hosting | Dedicated Servers & Colocation

  4. #3
    Join Date
    Nov 2016
    Posts
    136
    Thanks
    45
    Thanked 3 Times in 3 Posts
    Thumbs Up/Down
    Received: 10/0
    Given: 171/0
    It would be great if I could use these methods on a Linux server without WHM/cPanel, for instance on a LEMP stack, Plesk, DirectAdmin or other hosting control panels?
    I have several VPS using WHM/cPanel and I will check them with your commands and see how it works.

    Thanks for sharing useful tips!

  5. #4
    Join Date
    Jan 2017
    Location
    UK
    Posts
    80
    Thanks
    2
    Thanked 2 Times in 2 Posts
    Thumbs Up/Down
    Received: 37/0
    Given: 0/0
    You have really provided good information for the many users who have unmanaged servers or VPS. Spamming is a major concern, and only understanding what exactly is causing the problem can stop the issue from occurring again and again on the server.

  6. #5
    Join Date
    Nov 2014
    Posts
    354
    Thanks
    16
    Thanked 24 Times in 20 Posts
    Thumbs Up/Down
    Received: 146/1
    Given: 99/0
    I've been using the same methods for many years and they sure do help a lot! Very nice detailed guide you did on it, though. Good job!

    PS I would also suggest monitoring all your server IPs on blacklists using HetrixTools, too.

  7. #6
    Join Date
    Jul 2016
    Location
    Hertfordshire, UK
    Posts
    956
    Thanks
    40
    Thanked 186 Times in 155 Posts
    Thumbs Up/Down
    Received: 470/3
    Given: 138/4
    Quote Originally Posted by DTS-NET:
    That is awesome. A lot of the time files rebuild from types of malware and viruses;
    does this stop them from rebuilding?
    Have used other programs that have helped us and our clients.
    This one will be very useful as well, awesome job.
    No, this will not stop the attacker uploading the script again, if that is what you mean.

    Our policy on this is to suspend the account and get the customer to clean everything out, and we change all the account passwords; we also advise customers to run malware/virus scans on any PCs they are using to connect to the server.

    With a customer's WordPress site, for example, we advise deleting everything excluding the database and then help the customer reinstall fresh and provide the database connection details to them. Spam activity is stopped 95% of the time after these actions are taken. I have seen user cron jobs downloading the script again using wget and creating a 5 min cron to execute it.

    Those pesky hackers

  8. #7
    Join Date
    Jul 2016
    Location
    Hertfordshire, UK
    Posts
    956
    Thanks
    40
    Thanked 186 Times in 155 Posts
    Thumbs Up/Down
    Received: 470/3
    Given: 138/4
    Quote Originally Posted by Dr. McKay:
    It would be great if I could use these methods on a Linux server without WHM/cPanel, for instance on a LEMP stack, Plesk, DirectAdmin or other hosting control panels?
    I have several VPS using WHM/cPanel and I will check them with your commands and see how it works.

    Thanks for sharing useful tips!
    Yes, you can use this method with other MTAs/setups; you just need to modify the mail log location in the script and perhaps change the output formatting to reflect the style of the log file.

  9. #8
    Join Date
    Dec 2016
    Location
    Midwest USA
    Posts
    254
    Thanks
    23
    Thanked 12 Times in 12 Posts
    Thumbs Up/Down
    Received: 115/0
    Given: 35/0
    Thanks for this info, I'm always trying to look back through forums/emails etc. to find these commands again, when there is a mail issue on one of my servers. Great info for anyone running their own server.

  10. #9
    Join Date
    Mar 2017
    Location
    New York City
    Posts
    155
    Thanks
    3
    Thanked 2 Times in 2 Posts
    Thumbs Up/Down
    Received: 23/5
    Given: 23/3
    Thanks, I just bookmarked this.

  11. #10
    Join Date
    Apr 2016
    Posts
    103
    Thanks
    15
    Thanked 0 Times in 0 Posts
    Thumbs Up/Down
    Received: 3/0
    Given: 155/0
    I am wondering how the OP determined whether an email is spam mail or not.

    Which command does this job?

    Or do I need to follow the steps you guided above?

  12. #11
    Join Date
    Jul 2016
    Location
    Hertfordshire, UK
    Posts
    956
    Thanks
    40
    Thanked 186 Times in 155 Posts
    Thumbs Up/Down
    Received: 470/3
    Given: 138/4
    You need to view the email to decide if it is spam; however, most of the time the subjects will all be the same.

    Identifying outgoing SPAM needs to be done before the steps in this guide, which is done by viewing the logs either with WHM or the eximstats tools. The guide I posted is aimed towards drilling down to the root cause and stopping it once you have identified a mailbox is spamming. Most spam is automated on the server with PHP these days; spammers don't send remotely via SMTP as they used to, but it still happens.
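    The "subjects will all be the same" observation above is easy to turn into a check. As an added example (not from the thread), this groups message-arrival lines in an Exim main log by sender and subject so that a burst of identical subjects from one address stands out. It assumes Exim is logging subjects (log_selector = +subject, which appends a T="..." field to each arrival line); the sample lines, addresses and message ids are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: find senders whose messages all
# carry the same subject, the pattern the poster says usually marks spam.

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
# Constructed sample lines in Exim's "<=" (arrival) / "=>" (delivery) format.
# Message ids, addresses and hosts are made up. The last arrival line has no
# T= field, standing in for a server without +subject logging.
cat > "$SAMPLE_LOG" <<'EOF'
2017-04-14 23:27:01 1d99xy-0001Ab-Cd <= account3@example.test U=account3 P=local S=1842 T="Your account needs verification" from <account3@example.test> for a@example.org
2017-04-14 23:27:01 1d99xy-0001Ac-Ce <= account3@example.test U=account3 P=local S=1842 T="Your account needs verification" from <account3@example.test> for b@example.org
2017-04-14 23:27:02 1d99xy-0001Ad-Cf <= account3@example.test U=account3 P=local S=1842 T="Your account needs verification" from <account3@example.test> for c@example.org
2017-04-14 23:27:02 1d99xy-0001Ab-Cd => a@example.org R=dnslookup T=remote_smtp H=mx.example.org [192.0.2.10]
2017-04-14 23:30:10 1d99z0-0001Ba-Dd <= jane@account1.test U=account1 P=local S=903 T="Invoice 1042" from <jane@account1.test> for client@example.org
2017-04-14 23:31:00 1d99z1-0001Bb-De <= root@example.test U=root P=local S=402 from <root@example.test> for root@example.test
EOF

# sender_subject_counts LOGFILE
#   Prints "<count> <sender> <subject>" for each distinct sender/subject pair
#   seen on arrival ("<=") lines, least frequent first. Lines without a
#   T="..." field get an empty subject rather than a garbled one.
sender_subject_counts() {
    awk '$4 == "<=" {
            s = ""
            if (match($0, / T="[^"]*"/)) {
                s = substr($0, RSTART + 4, RLENGTH - 5)
            }
            print $5 "\t" s
         }' "$1" | sort | uniq -c | sort -n
}

# repeated_subjects LOGFILE MIN
#   Only the pairs seen at least MIN times: the candidates worth opening.
repeated_subjects() {
    sender_subject_counts "$1" | awk -v min="$2" '$1 >= min'
}

# top_sender LOGFILE
#   The sender behind the most repeated subject; feed it to
#   grep '<address>' /var/log/exim_mainlog to pull its full history.
top_sender() {
    sender_subject_counts "$1" | tail -n 1 | awk '{print $2}'
}

echo "sender/subject counts:"
sender_subject_counts "$SAMPLE_LOG"
echo "repeated 3 or more times:"
repeated_subjects "$SAMPLE_LOG" 3
echo "most repeated sender: $(top_sender "$SAMPLE_LOG")"
```

    A high count on its own is not proof (a legitimate newsletter also repeats one subject), so the output is a shortlist to confirm by viewing the message with exim -Mvh / exim -Mvb, as the thread goes on to describe.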

  13. #12
    Join Date
    Apr 2017
    Posts
    50
    Thanks
    0
    Thanked 2 Times in 2 Posts
    Thumbs Up/Down
    Received: 17/0
    Given: 5/0
    This is really very valuable information to take care of unmanaged servers.

    Thanks LJSHost, really appreciate it.

  14. #13
    Join Date
    Jan 2017
    Posts
    48
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Thumbs Up/Down
    Received: 12/0
    Given: 0/0
    Thanks LJSHost for this detailed write-up. I have searched here and there to sort out a system to detect spamming scripts but couldn't find one. Thanks a lot. I used LMD & ClamAV to find them previously.

  15. #14
    Join Date
    Apr 2017
    Posts
    75
    Thanks
    0
    Thanked 3 Times in 3 Posts
    Thumbs Up/Down
    Received: 21/0
    Given: 10/0
    Great post, this will surely help a lot of people out!

  16. #15
    Join Date
    Jun 2017
    Location
    Philippines
    Posts
    20
    Thanks
    1
    Thanked 0 Times in 0 Posts
    Thumbs Up/Down
    Received: 3/0
    Given: 7/0
    Thank you for this post. I am learning a lot by just reading these posts. I also have bookmarked this for future reference.
    Thank you guys!

    Cheers!

  17. #16
    Join Date
    Mar 2016
    Posts
    31
    Thanks
    0
    Thanked 2 Times in 2 Posts
    Thumbs Up/Down
    Received: 12/0
    Given: 4/0
    Awesome sharing, but I think it's limited to WHM.
    I have had a dedicated server suspended multiple times due to some of the clients abusing it. The only way I knew was the server getting suspended and them telling me the IP of the client. Can anybody guide me on how to avoid spamming on my dedicated box with multiple clients using VPS?

  18. #17
    Join Date
    Jul 2016
    Location
    Hertfordshire, UK
    Posts
    956
    Thanks
    40
    Thanked 186 Times in 155 Posts
    Thumbs Up/Down
    Received: 470/3
    Given: 138/4
    It all depends on what MTA those servers are using. The method I detailed can be used with any MTA; you just need to change the spool and log file locations relevant to the MTA configuration.

  19. #18
    Join Date
    Jul 2017
    Location
    Nashik, Maharashtra, India
    Posts
    91
    Thanks
    0
    Thanked 3 Times in 3 Posts
    Thumbs Up/Down
    Received: 20/0
    Given: 5/0
    I would like to add some more commands in addition to yours -

    1. First, check the mail count of all accounts on the server in ascending order using the command below

    exim -bpc; grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n
    After that you can check the logs of the particular email address which has the highest email count in the email queue using the command below -

    grep '<email address>' /var/log/exim_mainlog
    2. When you check the email logs for that email address you can find the email subject too, which will tell you whether the email account is sending spam emails or not.

    3. In addition to the above commands, you can use the commands below too -

    Checking the header of the mail -
    exim -Mvh <message id>
    Checking the body of the mail -
    exim -Mvb <message id>
    4. You can check the number of emails in the exim mail queue using the command below -
    exim -bpr | grep "<" | wc -l

    When you are sure that the script or email account is sending the spam emails, then you can take the recommended actions below -

    If the spamming is from a script then use the guidelines below -
    1. Disable the script on the server, that is, change its permissions to 000 with ownership as root.
    2. Rename that script.

    So the spammer can no longer use that script.

    If the spamming is from an email account then use the guidelines below -
    1. Reset the email account's password as soon as possible. The password should be a combination of small and capital letters, numbers and special characters so it becomes a strong password and the email account can't be hacked easily.
    2. Reset the control panel's password from where you are accessing the emails.
    3. If there is still spamming then it's recommended to remove the email account from the server.
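    As an added example (not from the thread), the two "spamming script" steps above as one shell function: it records a SHA-256 and the original path before touching the file, strips every permission bit, hands ownership to root when run as root, and renames the file out of the web root, so the evidence can still be matched to the log entries later. The quarantine directory, manifest file and .quarantined suffix are this example's own choices, not a WHM/cPanel convention, and the demonstration at the bottom uses a constructed placeholder file rather than a real script.

```shell
#!/bin/sh
# Added example, not code from the thread: neutralise a spam script the way the
# post recommends (permissions 000, root ownership, renamed) while keeping a
# record of what was moved and where.

# quarantine_script FILE QUARANTINE_DIR
#   Prints the new path of the neutralised file on success, returns 1 if FILE
#   does not exist.
quarantine_script() {
    f="$1"; qdir="$2"
    [ -f "$f" ] || { echo "quarantine_script: no such file: $f" >&2; return 1; }
    mkdir -p "$qdir"
    # Hash first, so the manifest describes the file exactly as it was found.
    if command -v sha256sum >/dev/null 2>&1; then
        sum=$(sha256sum "$f" | awk '{print $1}')
    else
        sum=$(shasum -a 256 "$f" | awk '{print $1}')
    fi
    # Step 1 from the post: no permission bits at all, owned by root. The chown
    # only happens when we are root; a non-root run (e.g. a test) skips it.
    chmod 000 "$f"
    if [ "$(id -u)" -eq 0 ]; then chown root "$f"; fi
    # Step 2 from the post: rename it, and move it out of the web root entirely
    # so the web server cannot reach it under any name.
    dest="$qdir/$(basename "$f").$(date +%Y%m%d%H%M%S).quarantined"
    mv "$f" "$dest"
    printf '%s  %s  -> %s\n' "$sum" "$f" "$dest" >> "$qdir/manifest.txt"
    echo "$dest"
}

# Constructed demonstration: a placeholder file standing in for the script
# found under a customer's public_html (see the post's innocent-looking name).
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
mkdir -p "$DEMO/public_html/scripts"
printf 'placeholder standing in for a spam script\n' \
    > "$DEMO/public_html/scripts/wp-plug-contact.php"

moved=$(quarantine_script "$DEMO/public_html/scripts/wp-plug-contact.php" "$DEMO/quarantine")
echo "moved to: $moved"
ls -l "$moved"
echo "manifest:"
cat "$DEMO/quarantine/manifest.txt"
```

    Run the function as root against the real path the log pointed you to, with a quarantine directory outside every customer's home. The manifest line gives you the hash to compare against later uploads, which matters because, as noted earlier in the thread, the same script is often dropped again by a cron job or a re-used password.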

  20. #19
    Join Date
    Jan 2017
    Location
    Miami, FL
    Posts
    89
    Thanks
    13
    Thanked 12 Times in 12 Posts
    Thumbs Up/Down
    Received: 60/0
    Given: 30/0
    Quote Originally Posted by Waqass:
    Awesome sharing, but I think it's limited to WHM.
    I have had a dedicated server suspended multiple times due to some of the clients abusing it. The only way I knew was the server getting suspended and them telling me the IP of the client. Can anybody guide me on how to avoid spamming on my dedicated box with multiple clients using VPS?
    If your virtualization is OpenVZ you can run nodewatch, and you can also configure it to suspend only the abusive VPS before you get suspended by your provider; on KVM it is a little more complicated, but you can use Pinguzo to find the abusive VPS and suspend it manually.
